ARRL’s curious LOTW password problem

Today the ARRL published this notice about password problems popping up for some LOTW program users:
An upgrade to the password-checking mechanism that authenticates
Logbook of The World (LoTW) users has caused log-in problems for some
clients. Under the system in place prior to approximately 2300 UTC on
September 19, the LoTW log-in system ignored the case of any characters
in a password when checking for a match, storing them all as lower-case.
The new system is case sensitive, however. While passwords once were
randomly generated, the ARRL IT staff recently implemented a new LoTW
password mechanism that lets users choose their own passwords. Under
this new system, when users first log in, their passwords are
encrypted.

Some users with mixed-case passwords attempting to log in were
rejected, however, because the system had stored their passwords as all
lower case. A subsequent modification allows the system to accept a
user’s mixed-case password and changes the stored password to the
user’s mixed-case specification. The issue also can present problems
for applications, such as logging programs, that employ a user’s
credentials to access a LoTW account.

Users who encounter trouble logging in to LoTW are being asked to enter
their passwords in all lower case. If that doesn’t work, contact the
LoTW Help Desk or explore other methods available for LoTW.

Any LoTW users who logged in before this modification was made — at
around 2300 UTC on September 19 — had their passwords stored in lower
case, no matter which case they used in entering them. These passwords
now must be entered as lower case. Users who changed to a password that
includes mixed-case letters must continue to enter that password in
mixed-case letters.

ARRL apologizes for underestimating the extent to which the lack of
password case sensitivity in the previous LoTW authentication mechanism
was going to cause problems for so many users.

What is curious to me about the above is that I should have been affected, but wasn’t. My password perfectly fits within the description above. But my LOTW account is completely unaffected — business as usual. The ARRL’s explanation is somehow only partially correct. Hopefully the ARRL will tell us more if and when it gets a better handle on this problem.

In my opinion the way LOTW used to handle passwords was inexcusably inept. Glad it’s finally on the right track? Also, some time back the ARRL website was hacked. The ARRL belatedly announced the hack, but never really fully explained how the hack took place or how reoccurrences would be prevented. Its announcement just minimized the hack. Sometimes I think the ARRL, when it comes to 21st century technology, is still in the 20th century.
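
The migrate-on-first-login behaviour described in the ARRL notice can be sketched as follows. This is an added example, not ARRL's code and not part of the original post. It assumes legacy records hold the lower-cased password, uses salted PBKDF2 as a stand-in for the notice's "encrypted", and the names `Store`, `login` and `keep_typed_case` are hypothetical.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    # Stand-in for the notice's "encrypted": a salted, slow, one-way hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Store:
    def __init__(self):
        self.legacy = {}  # user -> lower-cased password (assumed legacy form)
        self.hashed = {}  # user -> (salt, digest), compared case-sensitively

    def add_legacy(self, user: str, password: str) -> None:
        self.legacy[user] = password.lower()  # old system discarded case

    def login(self, user: str, typed: str, keep_typed_case: bool = True) -> bool:
        if user in self.hashed:
            salt, digest = self.hashed[user]
            return hmac.compare_digest(digest, _kdf(typed, salt))
        stored = self.legacy.get(user)
        if stored is None:
            return False
        # Legacy record: the only comparison possible is case-insensitive.
        if not hmac.compare_digest(stored.encode(), typed.lower().encode()):
            return False
        # First successful login migrates the record to a salted hash.
        # keep_typed_case=False models logins before the modification (the
        # lower-cased value is what gets hashed); True models logins after it.
        salt = os.urandom(16)
        self.hashed[user] = (salt, _kdf(typed if keep_typed_case else stored, salt))
        del self.legacy[user]
        return True

def demo() -> dict:
    s = Store()
    # Constructed sample accounts and passwords.
    s.add_legacy("user_a", "Secret73")
    s.add_legacy("user_b", "Secret73")
    return {
        "a_migrates": s.login("user_a", "Secret73", keep_typed_case=False),
        "a_mixed_after": s.login("user_a", "Secret73"),
        "a_lower_after": s.login("user_a", "secret73"),
        "b_migrates": s.login("user_b", "Secret73"),
        "b_lower_after": s.login("user_b", "secret73"),
        "b_mixed_after": s.login("user_b", "Secret73"),
    }

if __name__ == "__main__":
    print(demo())
```

Whichever spelling gets hashed at the moment of migration becomes the only one accepted afterwards, which is why the notice gives different advice depending on when the first login happened.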